Friday, April 28, 2017

Using Process Monitor

Sometimes a Google search on a complex issue just won't find the solution.  That's where Process Monitor comes in.  I have had to use Process Monitor a couple of times to fix issues that I knew weren't on the web (and maybe some that were).  In one case, one of my company's in-house apps wasn't allowing a user to use "Run as different user" for the app (which was a requirement to use it).  After using Process Monitor to pinpoint exactly what was happening at the point of failure, it showed that two files residing in the Public profile needed to be moved or removed.  Without Process Monitor, I would never have figured this out (short of weeks or months of trial and error) - and worse, even reimaging the machine wouldn't have fixed the issue.  Process Monitor can also help you quickly figure out where exactly in the registry a specific Windows setting lives, which helps with scripting and automation.

At first glance, Process Monitor is not an easy egg to crack.  You can easily get information overload from a couple of clicks in the program.  The power resides in how to filter and utilize this information at the point of failure and/or as you change settings in Windows.

We will disable the 'Location service' in Windows 10 settings as an example to find out where exactly this setting is in the registry.  First, download Process Monitor from Microsoft's Sysinternals site if you haven't already.  Open procmon.exe (no installation required) from the downloaded zip file.  The first thing you'll want to do is ensure Capture mode is off.  Click the magnifying glass icon (or press Ctrl-E) to stop capturing.  The magnifying glass icon will show a red X over it when capturing is disabled.

Also, disable the AutoScroll option next to the Capture mode icon (shown disabled in the above picture).

Click the Clear icon (or Ctrl-X) to erase all processes on the list.

Open the desired settings window in Windows where you want to find the registry setting - in our case, it's under Settings - Location tab.  This can also be found by doing a Windows 10 search for Location privacy settings.  Look for the Location service option and ensure it's set to On.  (Because we want to turn it off, we want it in its original position.)

Here's the slightly tricky part - In Process Monitor, click the Capture (magnifying glass) icon to enable Capture mode, then, as quickly as you can, click the Location service option to Off, then switch to Process Monitor again and disable the Capture icon again.  You may notice other processes/functions appear besides the one we are looking for, but that's OK.  As it stands, we are looking at every little change on the system from the point we pressed the Capture icon on, then off.

This is a lot of information, even if only captured for a few seconds.  We want to filter this information by clicking Filter - Filter... (or Ctrl-L).  On the Filter menu, change the first dropdown box from Architecture to Operation, then the second dropdown to "is", then the third to "RegSetValue".  Make sure the last dropdown is set to 'Include'.  Click the Add button to add it to the list of Filters below, and ensure it's checked on the list, then click OK.

We now have a more manageable list of settings to pinpoint.  We know that one of these options is what we are looking for.
Generally only one registry change is required, and since we see multiple "Explorer.EXE" entries (under Process Name), we can rule those out as background noise.  This leaves us with svchost.exe and SystemSettings.exe (x2).  At this point, we can open RegEdit.exe and navigate to the key/data shown for the first SystemSettings.exe entry.

The Value we are looking for is 'Deny', which looks like our winner.  We can further validate this by going back to the Location settings window and clicking it to the On position again.  Then we refresh the registry data (click another key, then click back to the original).  At this point, we notice the Value field has changed to Allow (the original setting).  Therefore, we can now manually change the Value key to Deny (double-click it to change) in Regedit, then refresh the Location settings window.  The option is back to 'Off' again.  We have a winner!
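The same narrowing-down can be done on a saved capture instead of by eye.  The script below is an added example, not part of the original post: it reads a Process Monitor CSV export (File - Save... as CSV), keeps only successful RegSetValue events, drops the Explorer.EXE noise, and groups the data written by process name and registry path so a value written twice by SystemSettings.exe stands out.  The CSV rows are constructed for the example and the svchost.exe path is a placeholder.

```python
import csv
import io
from collections import defaultdict

# Constructed stand-in for a Process Monitor CSV export (File > Save... > CSV);
# the column set matches ProcMon's defaults, the rows are illustrative only.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1000000","Explorer.EXE","4120","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"10:01:02.2000000","Explorer.EXE","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\Count\Example","SUCCESS","Type: REG_BINARY, Length: 72, Data: 00 00 00 00"
"10:01:02.3000000","SystemSettings.exe","7732","RegSetValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}\Value","SUCCESS","Type: REG_SZ, Length: 10, Data: Deny"
"10:01:02.4000000","svchost.exe","1204","RegSetValue","HKLM\SOFTWARE\ExampleVendor\Service\LastChange","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:01:02.5000000","SystemSettings.exe","7732","RegSetValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}\Value","SUCCESS","Type: REG_SZ, Length: 10, Data: Deny"
'''

# Processes whose registry writes are routine background noise in this kind of capture.
NOISY_PROCESSES = {"explorer.exe"}


def parse_detail(detail):
    """Split ProcMon's 'Type: X, Length: N, Data: Y' detail string into a dict.
    maxsplit=2 keeps any commas inside the Data portion intact."""
    fields = {}
    for part in detail.split(", ", 2):
        key, _, value = part.partition(": ")
        fields[key] = value
    return fields


def triage(csv_text, noisy=NOISY_PROCESSES):
    """Keep successful RegSetValue events from non-noisy processes and group the
    written data by (process name, registry path), so repeated writes stand out."""
    candidates = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "RegSetValue" or row["Result"] != "SUCCESS":
            continue
        if row["Process Name"].lower() in noisy:
            continue
        data = parse_detail(row["Detail"]).get("Data", "")
        candidates[(row["Process Name"], row["Path"])].append(data)
    return dict(candidates)


if __name__ == "__main__":
    for (proc, path), values in triage(SAMPLE_CSV).items():
        print(f"{proc:20} {path}\n{'':20} wrote: {values}")
```

For a real capture, replace SAMPLE_CSV with the contents of the exported file; the Explorer.EXE rows vanish and the remaining keys are the ones worth opening in Regedit.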

Now, we can right-click the main key (on the left-hand side of Regedit) and click Export to save the file as a ".reg" file.  Give it a worthwhile name (such as LocationSetting.reg).

Since this exports the entire key, we want to remove any unneeded settings from the reg file we just saved.  Open the .reg file in Notepad, then delete the unneeded options.  Your .reg file should now show as the following:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}]
"Value"="Deny"

Save it, then test it by setting the Location Settings to On again, then open the reg file to import the info to the registry.  The setting should turn Off again.
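Trimming the export can be scripted as well.  The function below is an added example (not the post's own code): it takes the text of a Version 5.00 .reg export and returns a minimal file containing only the named value under the named key, carrying over any backslash-continued hex lines so a multi-line value is not cut in half.  The sample export is constructed; Regedit writes real exports as UTF-16 with a BOM, so read them with encoding="utf-16".

```python
REG_HEADER = "Windows Registry Editor Version 5.00"
KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}"

# Constructed stand-in for a Regedit export of the key: extra values (one spanning
# two lines) and a subkey represent the clutter the post removes by hand in Notepad.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}]
"Value"="Deny"
"Unrelated"=dword:00000001
"Blob"=hex:01,02,03,04,05,06,07,08,09,0a,0b,0c,0d,0e,0f,10,11,12,13,14,15,16,\
  17,18,19,1a

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}\Sub]
"Value"="Allow"
'''


def trim_reg(text, key, value_name):
    """Return a .reg file holding only `value_name` under `key`.
    An empty value_name selects the key's default value, written as @ in .reg files."""
    lines = text.splitlines()
    if not lines or lines[0] != REG_HEADER:
        raise ValueError("not a Version 5.00 .reg export")
    wanted = "@" if value_name == "" else f'"{value_name}"'
    in_key, kept = False, None
    i = 1
    while i < len(lines):
        line = lines[i]
        if line.startswith("["):
            in_key = line == f"[{key}]"          # exact match, so subkeys do not count
        elif in_key and line.startswith(wanted + "="):
            kept = [line]
            while kept[-1].endswith("\\"):       # hex data continues on the next line
                i += 1
                kept.append(lines[i])
            break
        i += 1
    if kept is None:
        raise KeyError(f"{wanted} not found under {key}")
    # Regedit writes CRLF line endings; keep them so the result imports cleanly.
    return "\r\n".join([REG_HEADER, "", f"[{key}]", *kept, ""])


if __name__ == "__main__":
    print(trim_reg(SAMPLE_EXPORT, KEY, "Value"))
```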

That's it.  You are now one step closer to becoming a Windows troubleshooting master, despite how complex the issue at hand could be.

Thursday, April 20, 2017

CreateShortcut.vbs - now with icons!

Per the last post, I expanded the CreateShortcut VBScript to include icon specification, in case you don't like the default icon (to make it look 'prettier' if needed). This adds a parameter for the icon location as well as icon index. Here is the code:

' CreateShortcut.vbs - creates a .lnk file; the third argument (icon file,index) is optional
If WScript.Arguments.Count < 2 Then
    WScript.Echo "Usage: CreateShortcut.vbs <link.lnk> <target> [iconfile,index]"
    WScript.Quit 1
End If
Set oWS = WScript.CreateObject("WScript.Shell")
sLinkFile = WScript.Arguments(0)              ' full path of the .lnk file to create
Set oLink = oWS.CreateShortcut(sLinkFile)
oLink.TargetPath = WScript.Arguments(1)       ' program or file the shortcut opens
If WScript.Arguments.Count = 3 Then
    oLink.IconLocation = WScript.Arguments(2) ' "path\to\file.exe,index"
End If
oLink.Save


And the usage:

CreateShortcut.vbs "C:\Users\JoeSmith\Desktop\Excel.lnk" "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" "C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe,0"

This example creates an icon on JoeSmith's desktop for Excel, but replaces the icon with the default 'Office' icon instead of the Excel icon.  

The icon specification parameter is completely optional - you can still use the default icon by not specifying the 3rd parameter for icon location in the script usage and it will work fine.

I've found this particularly useful for batch files or internet shortcuts to replace those ugly default icons with prettier ones.

Saturday, April 15, 2017

Tackling the HP Audio Driver Keylogger issue with SCCM

Here's a rundown of how I tackled the HP Audio Driver Keylogger issue.

1. Created a Config Item called "Conexant Log File Check", and used the below settings.

2. Created a Config Baseline, added the Config Item to it, then deployed to the Clients collection.
3. Created a collection off of the resultant collection based on the Non-compliance count, then deployed the Conexant Audio Driver application as Required to this collection.
4. The Conexant Audio Driver application was based on two Detection Method rules:

Since both of these driver versions were documented as being keyloggers, the driver could be used to automatically upgrade both versions.